Unmasking Novell's identity plans

Bandit country

Common Topics

Identity systems such as Higgins and InfoCard give us new ways of storing and exchanging information about users; good news for users and developers.

The other half of the picture is managing and auditing those identities and the roles they correspond to, so you can use identities for role-based access control; the features both developers and administrators need to have.

That's one of the pieces Novell's new open source identity management project Bandit aims to address. It's less about providing identities and more about providing common identity services such as authentication, roles, policy and compliance reporting.

The name (apparently a common dog name in the US rather than a reference to masked men), plays on the old joke that on the internet, nobody knows you're a dog; along with the idea of dogtags. More prosaically, according to Novell distinguished engineer Dale Olds, "Bandit focuses on open source implementations of components needed to provide a consistent experience of identity to users and administrators. In practice, this means that we are not advocating a new protocol or standard, but provide implementations and 'glue' for existing standards and systems.";

You can use these components in your applications and network services, working with existing protocols and APIs. Olds believes that Bandit will simplify federating identities from multiple sources (say, LDAP directories and SQL databases) for authenticating users and calculating roles.

"The developer simply uses Bandit components and does not need to know how to code to specific systems or what authentication method or identity repository is used - these things can be configured at installation time rather than during development."

If that sounds like the Higgins Project, it's no coincidence. Bandit builds on Higgins, which you can think of as a unifying API for different identity systems. Many Bandit components are built on top of the Higgins Identity attribute service, adding higher-level services like role calculations and audit record reporting. Bandit also implements new Higgins Context Providers, extending the number of identity systems Higgins covers to include Novell's eDirectory.

There are components from SUSE Linux; the authentication services component (CASA) and the identity database (FLAIM). FLAIM is the database used by eDirectory and GroupWise; Olds calls it a scalable repository for the semi-structured data common to identity systems. There's also a credential store that synchronises passwords and other credentials among various Linux system services.

Put it all together and you could log on to a Linux workstation securely, using a smartcard and LDAP and have your name and credentials captured by CASA.

When you visit a website that uses Bandit, a browser extension will detect this, ask you which identity you want to provide to the site and what information you're willing to make available (which doesn't have to be everything the site is asking for) and then use CASA and the Higgins identity framework to log in the identity stores that have your credentials in – including the original LDAP server.

You see that the information has been transferred and you get on with your browsing or shopping without having typed in yet another password. Head to another Bandit-powered site and you might be asked for information again; you get to choose which identity to give each site and which details to disclose.

While Bandit is a long way from being finished, Olds encourages developers to start working with it – and to give feedback on what they want to see. Given Novell's investment in eDirectory, it's not surprising that Bandit doesn't mean replacing any existing directory services or metadirectory services you may already have in place.

Instead, Olds claims: "They make it easier for developers to write applications and services that use and integrate those identity systems. Developers can use Bandit and Higgins to access such systems without knowing specific mechanisms and protocols. Therefore, they can focus more on identity services and such emerging diverse areas as reputation and compliance verification."

Bandit is building part of what Olds calls the "identity fabric", similar to the "identity metasystem" Microsoft's Kim Cameron refers to; an abstraction layer for identity that lets you work with the same identity concepts and services across multiple systems.

This isn’t co-incidence – or rivalry. Bandit provides some of the pieces for an identity infrastructure; others come from Higgins, Microsoft, the Liberty Alliance, the WS-* standards and other players in the identity world, and they're all beginning to interoperate.

According to Paul Trevithick of the Higgins project: "What you're starting to see is the emergence of several key open source projects in the identity space, and increasing levels of cooperation between them. Higgins working with Bandit is just one example of this."

Similarly, the open source OSIS identity selector project is more than a way to work on open source implementations of InfoCard. It's the major identity players – including Microsoft, Novell, IBM and Verisign – getting together with the open source community to pull together the new identity systems to give the internet the workable identity platform it needs. ®